Bug #27728 Segfault in combination of php_check_syntax() and exit.
Submitted: 2004-03-27 07:47 UTC Modified: 2004-12-11 00:17 UTC
Votes:5
Avg. Score:3.8 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (50.0%)
From: mail at patrickwitte dot de Assigned: ilia (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.0.0RC1, 5.0.1, 5.0.2 OS: *
Private report: No CVE-ID: None

 [2004-03-27 07:47 UTC] mail at patrickwitte dot de
Description:
------------
This happens no matter if the checked file is syntactically ok or not or even doesn't exist.
In all cases the result of php_check_syntax() is the expected, but if exit (or die()) is called afterwards you get a segfault.
Experienced with sapi-module and cli on linux and cli on win32. (win32-sapi not tested)

Reproduce code:
---------------
<?php
echo php_check_syntax(__FILE__) ? "Ok" : "failed";
exit;
?>

Expected result:
----------------
Ok

Actual result:
--------------
Ok

segfault

Backtrace:
#0  _emalloc (size=Cannot access memory at address 0xc
) at /home/patrick/php-5.0.0RC1/Zend/zend_alloc.c:140
140             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);


 [2004-03-27 08:39 UTC] derick@php.net
Valgrind reports errors while parsing the parameter. Perhaps we free the __FILE__ stuff too early? Assigning to Ilia :)

==3720== Invalid read of size 4
==3720==    at 0x8293343: zend_parse_arg_impl (zend_API.c:301)
==3720==    by 0x8293887: zend_parse_arg (zend_API.c:450)
==3720==    by 0x8293BC1: zend_parse_va_args (zend_API.c:542)
==3720==    by 0x8293C43: zend_parse_parameters (zend_API.c:569)
==3720==    by 0x81BF10C: zif_php_check_syntax (basic_functions.c:2247)
==3720==    by 0x82B89D4: zend_do_fcall_common_helper (zend_execute.c:2689)
==3720==    by 0x82B90D0: zend_do_fcall_handler (zend_execute.c:2818)
==3720==    by 0x82B53C6: execute (zend_execute.c:1381)
==3720==  Address 0x4B20E38C is not stack'd, malloc'd or free'd
==3720==

 [2004-03-27 16:30 UTC] mail at patrickwitte dot de
I made a few more tests to get more systematic results:

1) Check of file(test.php) with parse error, no matter if 'php_check_syntax()' is followed by 'exit' or not, results in debug message:
/home/patrick/php-5.0.0RC1/main/streams/streams.c(371) : Stream of type 'STDIO' 0x4047363c (path:test.php) was not closed

2) Check of correct or non-existent file:
2a) without following 'exit': result as expected
2b) with following 'exit': segfault

After looking in streams.c it seems to be a memory leak.
 [2004-08-23 21:35 UTC] sean@php.net
I also stumbled upon this, today.

Here is my reproduce code:
if (!php_check_syntax(NULL)) { die(); }

(segfaults)
Seems this is not related to __FILE__

I concur that if exit (die) is not called, no segfault.

S
 [2004-10-24 19:09 UTC] mikael dot suvi at trigger dot ee
Version 5.0.2
This should do the trick...

====================
diff ext/standard/basic_functions.c.old ext/standard/basic_functions.c
2329a2330
>       zend_op_array *op_array;
2345c2346,2349
<       if (php_lint_script(&file_handle TSRMLS_CC) != SUCCESS) {
---
>       op_array = zend_compile_file(&file_handle, ZEND_INCLUDE TSRMLS_CC);
>       zend_destroy_file_handle(&file_handle TSRMLS_CC);
>
>       if (!op_array) {
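Review bot: the replacement at 2346-2349 works around php_lint_script() in this one caller instead of fixing the helper, so any other code that still calls php_lint_script() is left unchanged by this patch. Consider moving the zend_compile_file() / zend_destroy_file_handle() sequence into the helper, or add a comment here explaining why it is bypassed. The `!op_array` test is now the only failure signal in place of the old `!= SUCCESS` comparison, which also deserves a short comment.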
2354a2359,2360
>               destroy_op_array(op_array TSRMLS_CC);
>               efree(op_array);
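Review bot: the cleanup added at 2359-2360 appears in a single branch, and with no context lines it cannot be confirmed that every path on which `op_array` is non-NULL reaches destroy_op_array() and efree(). Please resend as a unified diff (`diff -u`) so the enclosing branch is visible, and check that no return sits between the compile call at 2346 and this cleanup.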
====================
 [2004-10-25 19:54 UTC] mail at patrickwitte dot de
Tested the patch on gentoo mod_php-5.0.2 ebuild.
No more segfault with reproduce code.
Thanks, mikael.
 [2004-12-11 00:17 UTC] andi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Tue Dec 03 17:01:29 2024 UTC